optiopay / klar

Integration of Clair and Docker Registry
MIT License

Centos vulnerability still failing with fixed by solution implemented #61

Closed mnick-nm closed 6 years ago

mnick-nm commented 6 years ago

We have a CentOS image that we've updated with the FixedBy version in the block below. The Clair scan via klar is still failing. We've done a lot to debug, including running the new images and printing out their packages and versions. Again, the FixedBy produced by our scans is the version of the packages we have implemented. Any suggestions on how to navigate this scenario?

```json
{
  "LayerCount": 2,
  "Vulnerabilities": {
    "High": [
      {
        "Name": "RHSA-2017:2832",
        "NamespaceName": "centos:7",
        "Description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.",
        "Link": "https://access.redhat.com/errata/RHSA-2017:2832",
        "Severity": "High",
        "FixedBy": "0:3.28.4-12.el7_4"
      },
      {
        "Name": "RHSA-2017:2832",
        "NamespaceName": "centos:7",
        "Description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.",
        "Link": "https://access.redhat.com/errata/RHSA-2017:2832",
        "Severity": "High",
        "FixedBy": "0:3.28.4-12.el7_4"
      },
      {
        "Name": "RHSA-2017:2832",
        "NamespaceName": "centos:7",
        "Description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Martin Thomson as the original reporter.",
        "Link": "https://access.redhat.com/errata/RHSA-2017:2832",
        "Severity": "High",
        "FixedBy": "0:3.28.4-12.el7_4"
      },
      {
        "Name": "RHSA-2017:1680",
        "NamespaceName": "centos:7",
        "Description": "The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security Fix(es): * A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request. (CVE-2017-3143) * A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet. (CVE-2017-3142) Red Hat would like to thank Internet Systems Consortium for reporting these issues. Upstream acknowledges Clement Berthaux (Synacktiv) as the original reporter of these issues. Bug Fix(es): * ICANN is planning to perform a Root Zone DNSSEC Key Signing Key (KSK) rollover during October 2017. Maintaining an up-to-date KSK, by adding the new root zone KSK, is essential for ensuring that validating DNS resolvers continue to function following the rollover. (BZ#1459649)",
        "Link": "https://access.redhat.com/errata/RHSA-2017:1680",
        "Severity": "High",
        "FixedBy": "32:9.9.4-50.el7_3.1"
      }
    ]
  }
}
```

ERROR: Job failed: exit code 1
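The check the reporter describes doing by hand (comparing the packages installed in the rebuilt image against each advisory's FixedBy), done programmatically. This is an added example, not part of the issue thread or of klar's own code. It applies RPM's epoch:version-release ordering, the ordering Clair uses for rpm-based namespaces, instead of a string comparison: a string compare would rank `3.28.4-8.el7` above `3.28.4-12.el7_4`, and would never match `3.28.4-12.el7_4` (as `rpm -q` prints it) against the `0:3.28.4-12.el7_4` in the report. The names `ParseEVR`, `rpmvercmp`, `CompareEVR`, `Fixed` and `Advisories` are this example's own; `sampleReport` is the report from the issue trimmed to the fields used (Description and Link dropped); the `~` pre-release marker is not handled.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// EVR is an RPM epoch:version-release triple, the form klar's FixedBy uses.
type EVR struct{ Epoch, Version, Release string }

// ParseEVR splits "32:9.9.4-50.el7_3.1"; a missing or "(none)" epoch (what rpm --qf prints) is 0.
func ParseEVR(s string) EVR {
	var e EVR
	if i := strings.IndexByte(s, ':'); i >= 0 {
		e.Epoch, s = s[:i], s[i+1:]
	}
	if e.Epoch == "" || e.Epoch == "(none)" {
		e.Epoch = "0"
	}
	e.Version = s
	if i := strings.LastIndexByte(s, '-'); i >= 0 {
		e.Version, e.Release = s[:i], s[i+1:]
	}
	return e
}

var segment = regexp.MustCompile(`[0-9]+|[A-Za-z]+`)

func sign(n int) int {
	switch {
	case n < 0:
		return -1
	case n > 0:
		return 1
	}
	return 0
}

// rpmvercmp follows librpm's rules: split into digit and letter runs (separators
// are skipped), compare digit runs numerically and letter runs lexically, a digit
// run is newer than a letter run, the side with runs left over is newer; no "~".
func rpmvercmp(a, b string) int {
	as, bs := segment.FindAllString(a, -1), segment.FindAllString(b, -1)
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := as[i], bs[i]
		xNum, yNum := x[0] <= '9', y[0] <= '9'
		if xNum != yNum { // mixed runs: numeric wins (digits sort below letters, hence the negation)
			return -strings.Compare(x[:1], y[:1])
		}
		if xNum { // drop leading zeros; then a longer digit run is the larger number
			x, y = strings.TrimLeft(x, "0"), strings.TrimLeft(y, "0")
			if len(x) != len(y) {
				return sign(len(x) - len(y))
			}
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return sign(len(as) - len(bs))
}

// CompareEVR orders by epoch, then version, then release, like rpm itself.
func CompareEVR(x, y EVR) int {
	for _, p := range [][2]string{{x.Epoch, y.Epoch}, {x.Version, y.Version}, {x.Release, y.Release}} {
		if c := rpmvercmp(p[0], p[1]); c != 0 {
			return c
		}
	}
	return 0
}

// Fixed reports whether a package installed at EVR `installed` is at or above FixedBy.
func Fixed(fixedBy, installed string) bool {
	return CompareEVR(ParseEVR(installed), ParseEVR(fixedBy)) >= 0
}

// Advisories maps advisory name -> FixedBy across all severities; repeated entries collapse.
func Advisories(reportJSON string) (map[string]string, error) {
	var r struct{ Vulnerabilities map[string][]struct{ Name, FixedBy string } }
	if err := json.Unmarshal([]byte(reportJSON), &r); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, vs := range r.Vulnerabilities {
		for _, v := range vs {
			out[v.Name] = v.FixedBy
		}
	}
	return out, nil
}

// The issue's report trimmed to the fields used here (Description and Link removed).
const sampleReport = `{"LayerCount": 2, "Vulnerabilities": {"High": [
 {"Name": "RHSA-2017:2832", "NamespaceName": "centos:7", "Severity": "High", "FixedBy": "0:3.28.4-12.el7_4"},
 {"Name": "RHSA-2017:2832", "NamespaceName": "centos:7", "Severity": "High", "FixedBy": "0:3.28.4-12.el7_4"},
 {"Name": "RHSA-2017:1680", "NamespaceName": "centos:7", "Severity": "High", "FixedBy": "32:9.9.4-50.el7_3.1"}]}}`
```

Run `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` inside the final image and pass each nss and bind package's EVR to `Fixed` with the matching FixedBy. If every package comes back fixed while Clair still flags the layer, the disagreement is about what the scanned layers contain (for example the scan resolving to an older image digest, or the image's rpm database not reflecting the update) rather than about the version strings.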

mnick-nm commented 6 years ago

This was updated by pulling the latest version of klar.